CVE-2021-27406
Published: 14 October 2022
Summary
CVE-2021-27406 is a high-severity External Control of System or Configuration Setting (CWE-15) vulnerability in Perfact Openvpn-Client. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 49.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-14160
Vulnerability details
An attacker can take leverage on PerFact OpenVPN-Client versions 1.4.1.0 and prior to send the config command from any application running on the local host machine to force the back-end server into initializing a new open-VPN instance with arbitrary open-VPN…
more
configuration. This could result in the attacker achieving execution with privileges of a SYSTEM user.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Provides fallback sources for configuration or settings when the primary is externally corrupted or controlled.
The policy and procedures establish internal controls and change management for system configuration settings, reducing the feasibility of external unauthorized modifications.
Baseline configuration under change control directly prevents unauthorized external modification of system or configuration settings.
Requires approval, documentation, and security impact review of all configuration changes, directly preventing unauthorized external control of system settings.
Impact analysis of configuration changes reduces the risk of deploying settings that permit unauthorized external control.
Restricting changes to system and configuration settings prevents external entities from controlling those settings without approval.
Establishing, implementing, approving deviations from, and monitoring configuration settings directly prevents external or unauthorized control of system settings.
The plan defines processes for identifying and managing configuration items, preventing external unauthorized control of system settings.